Thursday, January 29, 2026

Researchers from Kaspersky have identified that the Mustang Panda threat group has released a new version of its CoolClient backdoor, adding enhanced capabilities to steal browser login data and monitor clipboard contents. The observed attacks primarily target government organizations in Myanmar, Mongolia, Malaysia, Russia, and Pakistan. The attackers leveraged software from a cybersecurity and cloud computing company as a delivery vector to distribute the malware.
New capabilities introduced in this version of CoolClient include a clipboard monitoring module to capture copied data, active window title tracking, and credential interception from HTTP proxy traffic through direct packet inspection. The backdoor’s plugin system has also been expanded to support file management, service management, and a remote shell for executing commands remotely. In addition, researchers observed the deployment of three infostealer variants designed to harvest login credentials from Chrome, Edge, and other Chromium-based browsers.
For data exfiltration, the attackers refined their techniques to evade detection by using embedded API tokens to upload stolen data to public file-hosting services such as Google Drive and Pixeldrain, so that the traffic blends in with normal user activity. The malware maintains persistence by modifying the Windows Registry and creating Windows services, and it also supports a User Account Control (UAC) bypass to elevate privileges and sustain access.
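The exfiltration pattern above (authenticated uploads to public file-hosting services from a process that is not a browser) can be turned into a simple detection rule. The following is an added example, not Kaspersky's tooling or anything from the report; the telemetry records are constructed, the `EXPECTED_UPLOADERS` list and the Google Drive / Pixeldrain hostnames and paths are assumptions to be tuned for a real estate.

```python
"""Flag large authenticated uploads to file-hosting services that originate
from processes not expected to talk to them. Constructed sample data."""

# Hosts the exfiltration would hit (assumption: Drive API and Pixeldrain web API).
FILE_HOSTING_HOSTS = {"www.googleapis.com", "pixeldrain.com"}

# Processes that legitimately upload to those hosts in this (hypothetical) fleet.
EXPECTED_UPLOADERS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# Constructed outbound-HTTPS telemetry: one record per request.
SAMPLE_EVENTS = [
    {"ts": "2026-01-29T09:01:10Z", "process": "chrome.exe", "host": "www.googleapis.com",
     "method": "POST", "path": "/upload/drive/v3/files", "bearer": True, "bytes_out": 120_000},
    {"ts": "2026-01-29T09:02:44Z", "process": "svchost.exe", "host": "pixeldrain.com",
     "method": "POST", "path": "/api/file", "bearer": True, "bytes_out": 2_400_000},
    {"ts": "2026-01-29T09:03:05Z", "process": "updater.exe", "host": "www.googleapis.com",
     "method": "POST", "path": "/upload/drive/v3/files", "bearer": True, "bytes_out": 800_000},
    {"ts": "2026-01-29T09:03:30Z", "process": "updater.exe", "host": "www.googleapis.com",
     "method": "GET", "path": "/drive/v3/about", "bearer": True, "bytes_out": 300},
    {"ts": "2026-01-29T09:04:12Z", "process": "outlook.exe", "host": "outlook.office365.com",
     "method": "POST", "path": "/api/send", "bearer": True, "bytes_out": 90_000},
]


def flag_unexpected_uploads(events, min_bytes=50_000):
    """Return (process, host, reason) for each upload worth an analyst's look.

    A hit needs all of: a file-hosting destination, an upload-sized POST, and
    a source process outside the expected uploader list. Small GETs (metadata
    checks) and ordinary mail traffic are ignored so the rule stays quiet.
    """
    alerts = []
    for e in events:
        if e["host"] not in FILE_HOSTING_HOSTS:
            continue
        if e["method"] != "POST" or e["bytes_out"] < min_bytes:
            continue
        if e["process"].lower() in EXPECTED_UPLOADERS:
            continue
        reason = ("bearer token presented by non-browser process"
                  if e["bearer"] else "upload from non-browser process")
        alerts.append((e["process"], e["host"], reason))
    return alerts


if __name__ == "__main__":
    for alert in flag_unexpected_uploads(SAMPLE_EVENTS):
        print(alert)
```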
